Authentication from Active Directory and Database based user detai

Discussion in 'ASP .Net Security' started by Jono Jones, Apr 21, 2006.

  1. Jono Jones

    Jono Jones Guest

    Hi there,

    We have 500 users on our network. I'm writing a web system (asp.net) where
    you can create a user and give them access to various sections of the site.

    To create a user you select an existing Active Directory user and just
    attach their permissions (to see different web pages/options on web pages)
    then save it to a database.

    The purpose is to have the system hanging off the intranet and it will
    seamlessly let registered users use the system without logging on (i.e. the
    fact that they are logged into windows is enough).

    In the default page I can pick up the user logged into the machine and
    test against my DB like so:

    If temp.isUserRegistered(HttpContext.Current.User.Identity.Name().Split("\", 2)(1)) Then
        FormsAuthentication.RedirectFromLoginPage(HttpContext.Current.User.Identity.Name().Split("\", 2)(1), False)
        Response.Redirect("menu.aspx")
    End If

    What do I need to have set in IIS and web.config to prevent users from just
    typing in the URL for the menu to get into the system? I've had this working
    before with forms but not sure with this check with AD users.

    Further to this, how would I prevent certain content on a page being
    displayed to a user that doesn't have access to see that particular link, for
    example (an example might be a button to take you to the admin section, I
    don't want the button to be visible to a normal user and I don't want a normal
    user to be able to just browse to the admin.aspx page).

    One stipulation is that I can't have a separate folder for each type of
    access and thus have separate web.config files.

    Just to make it clear, the permissions are set in my web system and stored
    on my DB. I'm only using AD to check that the user currently logged in to
    windows is a user within this system (i.e. their username has been stored in
    DB with some permissions).

    Many thanks for any help on this one.

    Jono
     
    Jono Jones, Apr 21, 2006
    #1

  2. Have you considered using forms authentication in your application coupled
    with Windows integrated authentication at the IIS level? Rather than having
    a login page that prompts users for their credentials, you could then simply
    read their AD account name from the LOGON_USER server variable. The role
    set would be populated from the db as in any typical forms authentication
    scenario.

    For setting up page-specific authorization, you don't need separate
    web.config files. Instead, you can use the system.web\location element to
    set up different access rules for any pages or sub-directories that require
    separate configuration.

     
    Nicole Calinoiu, Apr 21, 2006
    #2

  3. Jono Jones

    Jono Jones Guest

    Re: Authentication from Active Directory and Database based user d

    Hi there,

    Thanks for your reply. Could you fill in some more details about your
    proposed solution?

    Any answers are very much appreciated,

    Cheers,

    Jono
     
    Jono Jones, Apr 21, 2006
    #3
  4. Re: Authentication from Active Directory and Database based user d

    What sort of details do you need?
     
    Nicole Calinoiu, Apr 21, 2006
    #4
  5. Jono Jones

    Jono Jones Guest

    Re: Authentication from Active Directory and Database based user d

    Hi Nicole,

    I guess I'm asking for a simple example you could point to or give here.

    I'll start looking into this today, but I'm not too clear on where I'll go
    with this (I'm not too clear on the permissions to see a page or actual
    components on a page, depending on your level of access).

    Many thanks for your help, I'll start by looking at Forms authentication
    again.

    Jono
     
    Jono Jones, Apr 24, 2006
    #5
  6. Jono Jones

    Jono Jones Guest

    Re: Authentication from Active Directory and Database based user d

    Hi again,

    Not sure if the system.web\location options would give me what I need. When
    coding jsp struts I'm sure there was a tag you placed around a control that
    checked for access permission before displaying it (e.g. an admin button).
    Not sure how to use system.web\location to check for users in the database
    (e.g. user can view this page if logged in AND has right to view page).

    Any help much appreciated. If anyone has any other options that have worked
    well for them?

    Jono
     
    Jono Jones, Apr 24, 2006
    #6
  7. Re: Authentication from Active Directory and Database based user d

    "Jono Jones" <> wrote in message
    news:...
    > Hi Nicole,
    >
    > I guess I'm asking for a simple example you could point to or give here.


    Sorry, I don't know of any existing examples. If you get really stuck, let
    me know, and I'll try to find some time to write one up.


    > I'll start looking into this today, but I'm not too clear on where I'll go
    > with this (I'm not too clear on the permissions to see a page or actual
    > components on a page, depending on your level of access).


    You mentioned earlier in the thread that you've used forms authentication
    in the past. Did you use it only for authentication, or did you also use
    role-based authorization?
     
    Nicole Calinoiu, Apr 24, 2006
    #7
  8. Re: Authentication from Active Directory and Database based user d

    "Jono Jones" <> wrote in message
    news:...
    > Hi again,
    >
    > Not sure if the system.web\location options would give me what I need.
    > When
    > coding jsp struts I'm sure there was a tag you placed around a control
    > that
    > checked for access permission before displaying it (e.g. an admin button).
    > Not sure how to use system.web\location to check for users in the
    > database
    > (e.g. user can view this page if logged in AND has right to view page).


    If you configure IIS to only use Windows integrated authentication for your
    application, you don't need to worry if the user is "logged in" since it
    won't be possible for users to anonymously access the site. Therefore,
    you'll only need to worry about authorization based on assigned roles. The
    location elements can take care of this at the page level. e.g. (only
    authorization elements shown):

    <configuration>
      <system.web>
        <authorization>
          <allow roles="Admins" />
          <deny users="*" />
        </authorization>
      </system.web>
      <location path="SomeFile.aspx">
        <system.web>
          <authorization>
            <allow roles="Admins, RoleA, RoleB" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    If you're using fx 2.0, you can use the LoginView control for controlling if
    or how data is displayed based on user roles. There is no built-in
    mechanism for handling within-page section suppression based on roles in fx
    1.x. You could write code to hide elements that shouldn't be shown on a
    one-off basis, but that could get tedious pretty quickly if you have a lot
    of these. A somewhat more elegant approach would be to create a container
    control that would do this for you based on a list of allowed users or
    roles.
     
    Nicole Calinoiu, Apr 24, 2006
    #8
  9. Jono Jones

    Jono Jones Guest

    Re: Authentication from Active Directory and Database based user d

    Hi Nicole,

    Thanks for this. I'll give it a go.

    My only worry is that I can't set roles in Active Directory, I only have
    roles in my database. So I guess I need to test for permission on a page and
    redirect using transfer if you have no permission?

    Jono


    "Nicole Calinoiu" wrote:

    > "Jono Jones" <> wrote in message
    > news:...
    > > Hi again,
    > >
    > > Not sure if the system.web\location options would give me what I need.
    > > When coding jsp struts I'm sure there was a tag you placed around a
    > > control that checked for access permission before displaying it (e.g. an
    > > admin button). Not sure how to use system.web\location to check for users
    > > in the database (e.g. user can view this page if logged in AND has right
    > > to view page).
    >
    > If you configure IIS to only use Windows integrated authentication for your
    > application, you don't need to worry if the user is "logged in" since it
    > won't be possible for users to anonymously access the site. Therefore,
    > you'll only need to worry about authorization based on assigned roles. The
    > location elements can take care of this at the page level. e.g. (only
    > authorization elements shown):
    >
    > <configuration>
    >   <system.web>
    >     <authorization>
    >       <allow roles="Admins" />
    >       <deny users="*" />
    >     </authorization>
    >   </system.web>
    >   <location path="SomeFile.aspx">
    >     <system.web>
    >       <authorization>
    >         <allow roles="Admins, RoleA, RoleB" />
    >         <deny users="*" />
    >       </authorization>
    >     </system.web>
    >   </location>
    > </configuration>
    >
    > If you're using fx 2.0, you can use the LoginView control for controlling if
    > or how data is displayed based on user roles. There is no built-in
    > mechanism for handling within-page section suppression based on roles in fx
    > 1.x. You could write code to hide elements that shouldn't be shown on a
    > one-off basis, but that could get tedious pretty quickly if you have a lot
    > of these. A somewhat more elegant approach would be to create a container
    > control that would do this for you based on a list of allowed users or
    > roles.
     
    Jono Jones, Apr 25, 2006
    #9
  10. Re: Authentication from Active Directory and Database based user d

    No, that's not necessary. If you use the forms authentication provider, you
    get to specify the user's role(s), so the roles used in the authorization
    elements can be the roles from your db rather than AD groups.


    "Jono Jones" <> wrote in message
    news:...
    > Hi Nicole,
    >
    > Thanks for this. I'll give it a go.
    >
    > My only worry is that I can't set roles in Active Directory, I only have
    > roles in my database. So I guess I need to test for permission on a page
    > and redirect using transfer if you have no permission?
    >
    > Jono
     
    Nicole Calinoiu, Apr 25, 2006
    #10
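The setup described in post #10, as an added example that is not code from the thread: the forms login page reads LOGON_USER, stores the user's database roles in the forms ticket, and Global.asax rebuilds the principal from that ticket so the `<allow roles="..."/>` rules are checked against db roles rather than AD groups. `PermissionStore`, its sample accounts, the `Login` and `Global_asax` class names, the `|` separator and the 20-minute lifetime are assumptions made for illustration.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Hypothetical stand-in for the db lookup; the sample accounts are constructed.
Public Class PermissionStore
    Public Shared Function GetRolesForUser(ByVal account As String) As String()
        Select Case account.ToLower()
            Case "jsmith"
                Return New String() {"Admins"}
            Case "akhan"
                Return New String() {"RoleA", "RoleB"}
        End Select
        Return New String() {}   ' unknown account: no roles
    End Function
End Class

' Code-behind of the forms loginUrl page. In IIS this page has integrated
' Windows authentication on and anonymous access off, so LOGON_USER is filled in.
Public Class Login
    Inherits System.Web.UI.Page

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        ' LOGON_USER has the form DOMAIN\account; keep only the account part.
        Dim logonUser As String = Request.ServerVariables("LOGON_USER")
        If logonUser Is Nothing Then logonUser = ""
        Dim account As String = logonUser.Substring(logonUser.LastIndexOf("\"c) + 1)
        Dim roles() As String = PermissionStore.GetRolesForUser(account)
        If roles.Length = 0 Then
            Response.StatusCode = 403   ' not registered in the db: issue no ticket
            Response.End()              ' ends the request here
        End If
        ' Carry the db roles in UserData (assumes no role name contains "|").
        Dim ticket As New FormsAuthenticationTicket(1, account, DateTime.Now, _
            DateTime.Now.AddMinutes(20), False, String.Join("|", roles))
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        Response.Cookies.Add(cookie)
        Response.Redirect(FormsAuthentication.GetRedirectUrl(account, False))
    End Sub
End Class

' Global.asax code-behind: on every request, replace the role-less forms
' principal with one that carries the roles stored in the ticket.
Public Class Global_asax
    Inherits System.Web.HttpApplication

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Context.User Is Nothing Then Return
        If Not TypeOf Context.User.Identity Is FormsIdentity Then Return
        Dim id As FormsIdentity = DirectCast(Context.User.Identity, FormsIdentity)
        Context.User = New GenericPrincipal(id, id.Ticket.UserData.Split("|"c))
    End Sub
End Class
```

Roles are fixed into the ticket when it is issued, so a permission change in the db only takes effect once the ticket expires and the login page runs again; keep the ticket lifetime short for that reason.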